I’ve written here a couple of times about some of the security issues associated with industrial control systems, sometimes called SCADA systems (for supervisory control and data acquisition). These systems, which are used to control the electrical power grid, air traffic, telecommunications, and many other bits of infrastructure, are often connected to the Internet, though some of them were designed for an era of private networking. Even those systems developed more recently may carry a legacy of design assumptions and implementation techniques that leads to exploitable security vulnerabilities. The Stuxnet worm, which damaged nuclear centrifuge facilities in Iran, is perhaps the most notable recent example of an exploit.
The Stuxnet worm attacked control systems made by Siemens, but there are many vendors of these systems. Ars Technica reports an attack against a heating, ventilation, and air conditioning (HVAC) control system in New Jersey. The information was obtained from an unclassified FBI memorandum [PDF], published by the Public Intelligence web site.
Hackers illegally accessed the Internet-connected controls of a New Jersey-based company’s internal heating and air-conditioning system by exploiting a backdoor in a widely used piece of software, according to a recently published memo issued by the FBI.
The backdoor was contained in older versions of the Niagara AX Framework, which is used to remotely control boiler, heating, fire detection, and surveillance systems for the Pentagon, the FBI, the US Attorney’s Office, and the Internal Revenue Service, among many others.
The systems in question apparently contain a network interface that provides direct access to a GUI administrative application, giving the same access as a logged-in system administrator, without requiring a password. In effect, the only information needed to take control of the system was the IP address (or a URL that points to it) of the Niagara system. At the New Jersey firm, and apparently at numerous other places, the system was connected directly to the Internet without a firewall. Subsequent to the start of the attacks against the New Jersey firm, the vendor, Tridium, and ICS-CERT released two advisories [PDFs] on vulnerabilities in the Niagara system. According to Tridium, more than 300,000 Niagara control systems are installed world-wide; a search by Ars Technica turned up more than 20,000 connected to the Internet.
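The mitigation implied above is to keep the administrative interface off the open Internet and reachable only from a management network, and to notice when that rule is violated. The following Python script is an added example, not code from the original post, the FBI memo, or Tridium: it generates the firewall rules that restrict the admin port to an allowlist of management subnets, and separately checks a constructed firewall log for accepted connections to that port from anywhere else. The log format, the port number 8080 and the subnet addresses are assumptions chosen for illustration.

```python
import ipaddress
from typing import Dict, List

# Assumption: the control system's admin GUI listens on this TCP port.
ADMIN_PORT = 8080

# Assumption: only hosts in these networks may reach the admin interface.
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Constructed sample firewall log (not a real capture); fields are key=value.
SAMPLE_LOG = """\
2012-12-10T08:01:12Z ACCEPT src=10.20.0.15 dst=10.20.5.7 dport=8080 proto=tcp
2012-12-10T08:03:44Z ACCEPT src=203.0.113.9 dst=10.20.5.7 dport=8080 proto=tcp
2012-12-10T08:04:01Z ACCEPT src=198.51.100.23 dst=10.20.5.7 dport=443 proto=tcp
2012-12-10T08:05:30Z ACCEPT src=192.168.100.4 dst=10.20.5.7 dport=8080 proto=tcp
2012-12-10T08:06:02Z DROP src=198.51.100.77 dst=10.20.5.7 dport=8080 proto=tcp
"""


def iptables_rules(port: int = ADMIN_PORT) -> List[str]:
    """Build an allowlist-then-drop rule set for the admin port.

    Each management subnet gets an ACCEPT; a final DROP catches all other
    sources, so a host that is reachable from the Internet still refuses
    admin connections from it.
    """
    rules = [
        f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT"
        for net in MANAGEMENT_NETS
    ]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'timestamp ACTION key=value ...' record into a dict."""
    ts, action, *fields = line.split()
    rec = {"ts": ts, "action": action}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_management(src: str) -> bool:
    """True if the source address lies inside an allowed management subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MANAGEMENT_NETS)


def find_exposed_admin_access(log_text: str) -> List[Dict[str, str]]:
    """Return accepted connections to the admin port from non-management hosts.

    Dropped packets and traffic to other ports are ignored; what remains is
    exactly the condition the rule set above is meant to prevent.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") != "ACCEPT":
            continue
        if int(rec.get("dport", "0")) != ADMIN_PORT:
            continue
        if not is_management(rec["src"]):
            findings.append(rec)
    return findings


if __name__ == "__main__":
    print("Firewall rules to apply on the control host:")
    for rule in iptables_rules():
        print("  " + rule)
    print("Admin-port connections accepted from outside the management networks:")
    for rec in find_exposed_admin_access(SAMPLE_LOG):
        print(f"  {rec['ts']} from {rec['src']} to {rec['dst']}")
```

Run against the constructed log, the check reports the single accepted connection from 203.0.113.9; the two management-network connections are legitimate, the port 443 entry is out of scope, and the DROP entry shows the rule set doing its job. In practice the log would come from the perimeter firewall or the host itself, and the finding would feed an alert rather than a print statement.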
As I’ve said before, many systems of this type got their start back in the days before ubiquitous Internet connections, and were originally designed with private, controlled networks in mind. (Having said that, it is hard to understand how anyone, regardless of circumstances, could think that a completely open administrative interface was a good idea.) As the article points out, connecting these systems to the Internet provides considerable convenience to their operators:
The incident underscores the prevalence of industrial control systems that are connected to the Internet. Security consultants have long considered the practice to be unsafe. Sadly, they say, the convenience IT employees get from being able to administer those systems from home or other remote locations often trumps security concerns.
Getting that convenience by means of an Internet connection is cheap, in terms of out-of-pocket costs today, but the longer-term bill might be sizable. I hope it does not take a disaster to get people’s attention.